A paper released by the University of Cambridge, one of the United Kingdom's most famous universities, has quantified the security risk of Android devices by comparing the number of known vulnerabilities present on a sample of devices and compared how frequently these devices have been updated. The paper, written by Cambridge researchers Daniel Thomas, Alastair Beresford and Andrew Rice and partly funded by Google, details the methods the team used in order to assess and analyse the risk of devices being compromised, based on a sample of a little over 20,000 Android devices. One of the headline statistics is that eighty seven percent of devices tested were vulnerable to at least one of the eleven wide scale security flaws discovered in the last five years. However, the researchers' efforts go much deeper than this and they have constructed a means of comparing different device manufacturers and carriers, providing them with a score as to how quickly they have updated devices in order to fix security weaknesses.
The research paper discusses in detail how Android devices are updated in order to keep them secure from known vulnerabilities. There are five groups that are involved in updating Android, including the network operators, device manufacturers, hardware developers, Google and the various open source projects involved, such as the LINUX kernel developers, OpenSSL, BouncyCastle and hardware drivers. Google builds the Android code from a variety of sources, which may require fixing from time to time – once the Android source code has been written, the device manufacturers receive it so as to prepare software for their handsets. Once this is ready, it may be passed to the network operator for testing or customization (it's at this point that "value added" or "bloat" is bundled into the software) and finally, the update is released to customer devices. Not all devices have the additional carrier testing overhead – most Google Nexus devices and those bought unlocked from the manufacturer circumvent the carrier. However, to those customers who have an interest in device software updates and have experience a carrier-branded smartphone, it should come as no surprise that the carrier-free Google Nexus devices score considerably higher than all other devices when it comes to being kept up to date (and secured) against known critical vulnerabilities.
The key metric of the paper is what the team have called the "FUM" score. This score has been published online and consists of the "F," being the proportion of devices free from known critical vulnerabilities. "U" consists of the proportion of devices updated to the latest software version and "M" is the number of vulnerabilities yet to be fixed by a particular manufacturer. The researchers weigh the different components depending on importance and produce a statistic after the calculations, where the higher the FUM score, the more robust the security updating process. For device and manufacturer scores, the Google Nexus line scored 5.2, followed by LG's 4.0, Motorola's 3.1, Samsung with 2.8. Both Sony and HTC score 2.6. For carriers, O2 UK scored the highest with 3.9 followed by T-Mobile with 3.8, Orange (UK) with 3.7, Sprint and Three (UK) with 3.4. The paper is careful to explain that carrier data is heavily influenced by the device manufacturer of their portfolio. The FUM score is being used by at least one of the UK's largest quoted companies to determine the more secure Android smartphone device and carrier available. You can check individual scores at this website.
Going forwards, the University of Cambridge's report highlights and quantifies what the industry already knows – the Android update process is, to be blunt, a mess. There has been little incentive for manufacturers to release interim software updates in order to patch known weaknesses because the end customer has not been aware of the risk. This is slowly changing. Google has recently promised to release security updates at least once a month and we've seen both LG and Samsung promise to follow these. We have also seen other manufacturers, most noticeably HTC, state that it is unrealistic to expect monthly updates where there is a carrier involved. Metrics such as the FUM score will start to increase customer awareness of the need to keep devices up to date and so secured from security threats – and this will make life all the harder for the smaller Android manufacturers in the market, such as HTC and Sony. This could also change the industry as one of the reasons why manufacturers struggle to keep software up to date is the need to redesign some of the code to suit their particular user interface. For the Google Nexus devices, and those devices that are closer to the stock Google experience (such as many Motorola smartphones from 2013 onwards), this process should be easier for the manufacturer.
Another of the headline statistics revealed in the report is the average number of software updates received per Android device over the five year test period. It's just 1.26, or over a typical two year contract, customers typically receive two or three software updates. Google intends to change this by releasing software patches for older devices, but faces a difficult challenge getting the manufacturers and networks onboard. We've already seen how Android 6.0 Marshmallow includes a patch date entry in the device so that the customer is aware of the date of the last update. For the Nexus devices, this average update score should be around the 12 point – one update per month. It remains to be seen how the rest of the industry performs.
Researcher Andrew Rice says this about the report: "The security community has been worried about the lack of security updates for Android devices for some time. Our hope is that by quantifying the problem, we can help people when choosing a phone and that this in turn will provide an incentive for manufacturers and operators to deliver updates."